Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

CPSec Switch-Cert and Factory-Cert

  • 1.  CPSec Switch-Cert and Factory-Cert

    Posted Nov 08, 2017 09:21 AM

    Hi!

     

    We are currently installing a new WLAN for a large public customer with 2500+ APs. Control plane security is enabled and we have observed that some APs are provisioned with "factory-cert" and some are using the "switch-cert".

     

    My understanding is: if the AP comes with a pre-installed factory certificate, this is used for CPsec; if it comes without one, the switch certificate is installed.

     

    Now the customer has concerns that the factory-cert may be less secure than the switch-cert.

     

    Therefore my question, what is the factory-cert? Is it a default one which is used for all APs or is it an individual certificate for every AP?

     

    If it is a default certificate, which would be less secure, is there a way to delete it from the AP to force the installation of the switch certificates?

     

    Thanks a lot for every answer!

     

    Best regards

     

    Markus



  • 2.  RE: CPSec Switch-Cert and Factory-Cert
    Best Answer

    Posted Nov 08, 2017 11:44 AM

    The "factory-cert" is unique to each AP and stored on the TPM chip of the AP. When using control plane security, this is typically the certificate used to identify/authorize the AP. APs without a TPM chip will typically be issued a "switch-cert" from the controller.

     

    Below is an example of a factory cert on an AP-225 TPM.   The CN (Common Name) is unique to the serial number/MAC Address of the AP (altered below).

     

    Version :3
    Serial Number :33:5B:2B:7E:00:00:00:51:BC:60
    Issuer :/UID=com/UID=arubanetworks/UID=dc-device-ca5/CN=device-ca5
    Subject :/CN=CT078XXXX::84:d4:7e:XX:XX:XX
    Issued On :Nov 12 05:23:28 2015 GMT
    Expires On :Sep 14 03:21:14 2032 GMT
    Signed Using :SHA1-RSA
    RSA Key size :2048 bits
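
    As an added check that is not part of the original thread: the script below parses a certificate dump in the layout shown above and flags what a customer asking "is the factory-cert less secure?" would actually want verified: the CN really carries the AP's own serial and MAC (so it can be compared against the CPSec whitelist entry), the issuer is the Aruba device CA, the validity window covers today, and the signature algorithm and key size meet current expectations. The sample certificate text is constructed to match the post's format (serial and MAC are made up), the issuer pattern is assumed from this single dump, and the finding codes are my own.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the controller's dump format; serial and MAC are made up.
SAMPLE_CERT = """\
Version :3
Serial Number :33:5B:2B:7E:00:00:00:51:BC:60
Issuer :/UID=com/UID=arubanetworks/UID=dc-device-ca5/CN=device-ca5
Subject :/CN=CT0781234::84:d4:7e:aa:bb:cc
Issued On :Nov 12 05:23:28 2015 GMT
Expires On :Sep 14 03:21:14 2032 GMT
Signed Using :SHA1-RSA
RSA Key size :2048 bits
"""

FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:(?P<val>.*)$")
# Factory-cert CN is "<serial>::<mac>" (as in the post above).
CN_RE = re.compile(r"/CN=(?P<serial>[^/:]+)::(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$", re.I)
TIME_FMT = "%b %d %H:%M:%S %Y GMT"
# Assumed from the one dump on this page: an Aruba device CA signs factory certs.
ISSUER_MARKERS = ("UID=arubanetworks", "device-ca")
CHECK_TIME = datetime(2020, 1, 1, tzinfo=timezone.utc)   # fixed "now" so results are reproducible


def parse_cert_dump(text):
    """Turn 'Key :value' lines into a dict keyed by the label as printed."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("val").strip()
    return fields


def parse_subject(subject):
    """Return (serial, mac) from a factory-cert subject, or None if it is not in that shape."""
    m = CN_RE.search(subject)
    if not m:
        return None
    return m.group("serial"), m.group("mac").lower()


def parse_time(s):
    """Parse the 'Nov 12 05:23:28 2015 GMT' timestamps the dump uses."""
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)


def check_factory_cert(text, whitelist_mac, now=CHECK_TIME):
    """Return a list of finding codes; an empty list means nothing to flag."""
    f = parse_cert_dump(text)
    findings = []
    issuer = f.get("Issuer", "")
    if not all(marker in issuer for marker in ISSUER_MARKERS):
        findings.append("unexpected-issuer")
    parsed = parse_subject(f.get("Subject", ""))
    if parsed is None:
        findings.append("malformed-subject")
    elif parsed[1] != whitelist_mac.lower():
        findings.append("mac-mismatch")          # cert does not belong to the whitelisted AP
    if now < parse_time(f["Issued On"]):
        findings.append("not-yet-valid")
    if now > parse_time(f["Expires On"]):
        findings.append("expired")
    if f.get("Signed Using", "").upper().startswith("SHA1"):
        findings.append("sha1-signature")        # SHA-1 is deprecated for signatures
    key_bits = int(f.get("RSA Key size", "0 bits").split()[0])
    if key_bits < 2048:
        findings.append("short-key")
    return findings


if __name__ == "__main__":
    print(check_factory_cert(SAMPLE_CERT, "84:d4:7e:aa:bb:cc"))
```

    Run over a whitelist export, this turns the question "which cert type is each AP on, and is it sane?" into a per-AP finding list; the only thing the constructed sample trips is the SHA-1 signature on the issuing CA's side, which is a fleet-wide observation rather than something an individual AP can change.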



  • 3.  RE: CPSec Switch-Cert and Factory-Cert

    Posted Nov 08, 2017 12:19 PM

    Hi!

     

    Thanks very much for the answer, I was not able to find that information anywhere else!

     

    So I can convince the customer that the factory-cert is secure and we don't need to worry about that!

     

    Thanks again!

     

    Markus



  • 4.  RE: CPSec Switch-Cert and Factory-Cert

    Posted Dec 18, 2017 11:19 AM

    CPSEC config

    [image: 1.PNG]

    I have an AP205.

    [image: 3.PNG]

    Below is the entry in whitelist-db.

    Did this AP actually come up with factory cert or switch cert?

    [image: 2.PNG]

     

    Dec 17 20:26:39 fpcli: USER:admin@10.9.225.230 COMMAND:<control-plane-security > -- command executed successfully
    Dec 17 20:26:44 fpcli: USER:admin@10.9.225.230 COMMAND:<control-plane-security no auto-cert-prov > -- command executed successfully
    Dec 17 20:27:52 fpcli: USER:admin@10.9.225.230 COMMAND:<whitelist-db cpsec purge > -- command executed successfully
    Dec 17 20:30:50 fpcli: USER:admin@10.9.225.230 COMMAND:<whitelist-db cpsec add mac-address "ac:a3:1e:c0:9e:1c" ap-group "default" ap-name "ac:a3:1e:c0:9e:1c" > -- command executed successfully
    Dec 17 20:31:07 fpcli: USER:admin@10.9.225.230 COMMAND:<apboot ap-name "ac:a3:1e:c0:9e:1c" > -- command executed successfully
    Dec 17 20:31:31 fpcli: USER:admin@10.9.225.230 COMMAND:<logging level debugging security > -- command executed successfully
    Dec 17 20:53:55 fpcli: USER:admin@10.9.225.230 COMMAND:<whitelist-db cpsec modify mac-address "ac:a3:1e:c0:9e:1c" cert-type switch-cert > -- command executed successfully
    Dec 17 20:54:42 fpcli: USER:admin@10.9.225.230 COMMAND:<whitelist-db cpsec modify mac-address "ac:a3:1e:c0:9e:1c" cert-type factory-cert > -- command executed successfully
    Dec 17 20:54:49 fpcli: USER:admin@10.9.225.230 COMMAND:<whitelist-db cpsec modify mac-address "ac:a3:1e:c0:9e:1c" cert-type switch-cert > -- command executed successfully



  • 5.  RE: CPSec Switch-Cert and Factory-Cert

    Posted Dec 19, 2017 03:35 AM

    Hi!

     

    It is running with Factory-Cert, as you can see in the state! It is configured to use the switch cert, but as it has the built-in factory cert, this one is used!

     

    BR

     

    Markus